Professional Documents
Culture Documents
Standards
Burt Kaliski, RSA Laboratories
23rd National Information Systems
Security Conference, October 16–19, 2000
Outline
I. Background
II. Forgery and provable security
III. Contemporary signature schemes
IV. Standards strategy
Part I: Background
General Model
• Signature generation
M “valid” / “invalid”
embeds message,
applies trapdoor:
µ(M))
– s = f-1(µ
µ µ-1 • Signature verification
applies OWF, checks
against message:
s – µ-1(f(s), M) valid?
f-1 f
Scheme with Message Recovery
• Signature generation
Mr Mnr Mr or “invalid” embeds message,
applies trapdoor:
µ(Mr, Mnr))
– s = f-1(µ
µ µ-1 • Signature verification
applies OWF, checks
against Mnr, recovers
s M r:
f-1 f – Mr = µ-1(f(s), Mnr)
Embedding Properties
µ(M) = ∏ µ(Mi)^α
αi mod n
then
σ(M) = ∏ σ(Mi)^α
αi mod n
• Signature for M can thus be forged given the
signatures for M1, …, Ml under a chosen-message
attack
Small Primes Method
• Basic scheme
• ANSI X9.31
• PKCS #1 v1.5
• Bellare-Rogaway FDH
• Bellare-Rogaway PSS
• IEEE P1363a version of PSS
Basic Scheme
• µ(M) = Hash(M)
• Pedagogical design
• Insecure against multiplicative forgery for typical
hash sizes
• (Hopefully) not widely deployed
ANSI X9.31
(Digital Signatures Using Reversible Public-Key
Cryptography for the Financial Services Industry, 1998)
• µ(M) = 6b bb … bb ba || Hash(M) || 3x cc
where x = 3 for SHA-1, 1 for RIPEMD-160
• Ad hoc design
– cc octet for RW support
• Widely standardized
– IEEE 1363, ISO/IEC 14888-3
– US NIST FIPS 186-1
• Widely deployed
– SSL certificates
– S/MIME
• µ(M) = Full-Length-Hash(m)
• Provably secure design
– resists any attack where hash function is considered a
black box, provided that RSA is hard to invert
• Basic scheme
• ISO/IEC 9796-1
• ISO/IEC 9796-2
• Bellare-Rogaway PSS-R
• IEEE P1363a version of PSS-R
Basic Scheme
• µ(Mr) = Mr
• Another pedagogical design (“textbook RSA”)
• Insecure against various forgeries, including
existential forgery
– attacker can select signature s then “recover” Mr = f(s)
• Moderately standardized
ISO/IEC 9796-2
(Digital Signature Scheme Giving Message Recovery —
Mechanisms Using a Hash Function, 1997)
• µ(Mr, Mnr) ≈ 6a || Mr || H || bc
• µ(Mr) = 4b bb … bb ba || Mr || H || bc
where H = Hash (Mr, Mnr) or Hash (Mr)
– (assumes modulus length is multiple of 8)
– general format allows hash algorithm ID
• Ad hoc design
• Not resistant to multiplicative forgery if hash
value is 64 bits or less [CNS99]
– may still be appropriate for larger hash values
• Newly standardized
Bellare-Rogaway PSS-R
(Probabilistic Signature Scheme with Recovery, 1996)